Configuring IPSec on Juniper SRX for IBM SoftLayer Connectivity (2)

In this blog post, I provide a reference configuration for a Juniper route-based VPN, for customers who use a Juniper SRX firewall for IPSec connectivity to SoftLayer.

For the SoftLayer end of the configuration, please refer to my other blog post:

Configuring IPSec on Cisco IOS router for Softlayer Connectivity

Customer end: Juniper SRX firewall (route-based VPN)

 

  1. Create the tunnel interface and the VPN security zone, and bind the tunnel interface to the VPN security zone

    set interfaces st0 unit 0 family inet

    set security zones security-zone vpn interfaces st0.0


  2. Phase 1

    set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
    set security ike proposal ike-phase1-proposal dh-group group2
    set security ike proposal ike-phase1-proposal authentication-algorithm md5
    set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc
    set security ike policy ike-phase1-policy mode main
    set security ike policy ike-phase1-policy proposals ike-phase1-proposal
    set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$OmpvBhyleWx-wvWjkq.5TRhSylMLxN-bsKvJG"
    set security ike gateway SL ike-policy ike-phase1-policy
    set security ike gateway SL address x.x.x.x
    set security ike gateway SL external-interface ge-0/0/0.0

    Note: x.x.x.x is the SoftLayer IPSec gateway IP address.

  3. Phase 2

    set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
    set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
    set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
    set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
    set security ipsec vpn SLVPN bind-interface st0.0
    set security ipsec vpn SLVPN ike gateway SL
    set security ipsec vpn SLVPN ike proxy-identity local 192.168.109.0/24
    set security ipsec vpn SLVPN ike proxy-identity remote 10.66.24.0/26
    set security ipsec vpn SLVPN ike proxy-identity service any
    set security ipsec vpn SLVPN ike ipsec-policy ipsec-phase2-policy
    set security ipsec vpn SLVPN establish-tunnels on-traffic

    Note: the proxy-ID configuration is critical; the local and remote proxy identities must match those configured on the SoftLayer end, or Phase 2 will not come up.

  4. Security Policy 1 (Outbound)

    set security address-book Trust address local_network 192.168.109.0/24
    set security address-book Trust attach zone trust

    set security policies from-zone trust to-zone vpn policy outbound match source-address local_network
    set security policies from-zone trust to-zone vpn policy outbound match destination-address any
    set security policies from-zone trust to-zone vpn policy outbound match application any
    set security policies from-zone trust to-zone vpn policy outbound then permit

  5. Security Policy 2 (Inbound)

    set security policies from-zone vpn to-zone trust policy inbound match source-address any
    set security policies from-zone vpn to-zone trust policy inbound match destination-address local_network
    set security policies from-zone vpn to-zone trust policy inbound match application any
    set security policies from-zone vpn to-zone trust policy inbound then permit

    Note: this any-any rule is for illustration only; in production, restrict the source address and application to what the SoftLayer side actually needs.

  6. Routing

    set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1
    set routing-options static route 10.66.24.0/26 next-hop st0.0

  7. Verify IPSec status

    root@SRX1> show security ike sa
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    3878661 UP     4fe84303034a5be3  8674368c9212747f  Main           x.x.x.x
    3878662 UP     417c49e6abd24de3  ad718e32b2c94602  Main           x.x.x.x
    3878675 UP     c74fa9e1cbac457b  8eab37fe32b29aa3  Main           x.x.x.x

    root@SRX1> show security ipsec sa
    Total active tunnels: 1
    ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
    <131073 ESP:3des/md5  c25f6085 704/  unlim   -   root 4500  x.x.x.x
    >131073 ESP:3des/md5  ebf61035 704/  unlim   -   root 4500  x.x.x.x
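Because the proxy IDs, the address book, the static route and the st0.0 zone binding all have to agree before traffic flows, the following added Python script (example code, not from this post or from Juniper) cross-checks a Junos `set`-form configuration for exactly those dependencies. The sample configuration embedded in it is constructed from the statements above; the regular expressions cover only the statement types the check needs.

```python
import ipaddress
import re
# Constructed sample: the statements from the post that the check cross-references.
SAMPLE_CONFIG = """
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security ipsec vpn SLVPN bind-interface st0.0
set security ipsec vpn SLVPN ike proxy-identity local 192.168.109.0/24
set security ipsec vpn SLVPN ike proxy-identity remote 10.66.24.0/26
set security address-book Trust address local_network 192.168.109.0/24
set routing-options static route 10.66.24.0/26 next-hop st0.0
"""
# One pattern per statement type of interest, matched against the text after "set ".
PATTERNS = {
    "proxy": r"security ipsec vpn \S+ ike proxy-identity (?P<side>local|remote) (?P<net>\S+)",
    "bind": r"security ipsec vpn \S+ bind-interface (?P<iface>\S+)",
    "zone": r"security zones security-zone \S+ interfaces (?P<iface>\S+)",
    "book": r"security address-book \S+ address \S+ (?P<net>\S+)",
    "route": r"routing-options static route (?P<net>\S+) next-hop (?P<nh>\S+)",
}

def check_vpn_config(text):
    """Return a list of findings; an empty list means the pieces agree."""
    proxy, zoned, book, routes, bind = {}, set(), set(), {}, None
    for line in text.splitlines():
        stmt = line.strip()
        if not stmt.startswith("set "):
            continue
        for kind, pat in PATTERNS.items():
            m = re.fullmatch(pat, stmt[4:])
            if m is None:
                continue
            if kind == "proxy":
                proxy[m["side"]] = ipaddress.ip_network(m["net"])
            elif kind == "bind":
                bind = m["iface"]
            elif kind == "zone":
                zoned.add(m["iface"])
            elif kind == "book":
                book.add(ipaddress.ip_network(m["net"]))
            else:  # static route: remember the next hop per prefix
                routes[ipaddress.ip_network(m["net"])] = m["nh"]
    findings = [f"proxy-identity {s} missing: Phase 2 selectors will not match SoftLayer's" for s in ("local", "remote") if s not in proxy]
    if bind not in zoned:  # also catches a missing bind-interface statement (bind is None)
        findings.append(f"bind-interface {bind} is missing or not in a security zone: no policy can permit traffic over it")
    if "remote" in proxy and not any(proxy["remote"].subnet_of(n) and nh == bind for n, nh in routes.items()):
        findings.append(f"no static route for {proxy['remote']} via {bind}: traffic never enters the tunnel")
    if "local" in proxy and not any(proxy["local"].subnet_of(n) for n in book):
        findings.append(f"local proxy-identity {proxy['local']} matches no address-book entry used by the policies")
    return findings
```

Run `check_vpn_config()` over a candidate configuration before committing it; the findings name the statement that disagrees with the rest.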
